Router#conf ter
Router(config)#hostname R1
R1(config)#int fa0/1
R1(config-if)#ip add 13.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R2
Router#conf ter
Router(config)#hostname R2
R2(config)#int fa 0/1
R2(config-if)#ip add 23.1.1.2 255.255.255.0
R2(config-if)#no sh
R3
Router#conf terminal
Router(config)#hostname ISP
ISP(config)#int fa 0/0
ISP(config-if)#ip add 13.1.1.3 255.255.255.0
ISP(config-if)#no sh
ISP(config-if)#int fa0/1
ISP(config-if)#ip add 23.1.1.3 255.255.255.0
ISP(config-if)#no sh
ISP(config-if)#exit
ISP(config)#int lo0
ISP(config-if)#ip add 3.3.3.3 255.255.255.255
PC1
Router#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname PC1
PC1(config)#no ip routing
PC1(config)#int fa 0/0
PC1(config-if)#ip add 192.168.1.2 255.255.255.0
PC1(config-if)#no sh
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.1.1
PC2
Router#conf ter
Router(config)#hostname PC2
PC2(config)#no ip routing
PC2(config)#int fa 0/0
PC2(config-if)#ip add 192.168.2.2 255.255.255.0
PC2(config-if)#no sh
PC2(config-if)#exit
PC2(config)#ip default-gateway 192.168.2.1
Configure NAT on R1 and R2
R1
// Configure the ACL: traffic between the two LANs (the IPsec VPN traffic) must be exempted from NAT. On IOS, inside-to-outside NAT runs before the crypto map is checked, so without this deny entry the packets would leave with a 13.1.1.1 source, never match crypto ACL 101, and the tunnel would never be triggered.
R1(config-if)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#access-list 100 permit ip any any
// Set the inside and outside interfaces
R1(config)#int fa 0/0
R1(config-if)#ip nat inside
R1(config-if)#int fa0/1
R1(config-if)#ip nat outside
R1(config)#ip nat inside source list 100 interface fastEthernet0/1 overload
// The parameters of ip nat inside source list are as follows:
Syntax: ip nat inside source list access-list-number {pool pool-name | interface interface-id} [overload]
Parameters
access-list-number: the number of the access list that defines which source addresses are translated.
pool-name: the name of the IP address pool holding the inside global addresses used for translation.
interface-id: the interface whose IP address is used as the inside global address.
overload: enables port address translation (PAT), so one global address can be mapped to many local addresses. It is needed for many-to-one translation, letting several inside addresses communicate through a single NAT address at the same time; without it, only one inside address can hold the global address at any given moment.
// Configure the default route
R1(config)#ip route 0.0.0.0 0.0.0.0 13.1.1.3
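The lab uses the interface form of the command. The following is an added example, not the lab's own commands, showing the pool form on R1 with the same NAT-exemption ACL, and beside it the misordered ACL that breaks the VPN. The pool range 13.1.1.10 to 13.1.1.20 is an assumed spare block on R1's outside subnet.

```cisco
! Added example (not from the original lab). Pool addresses are assumed.
! R1: pool form of dynamic NAT/PAT with the VPN subnets exempted
ip nat pool R1-POOL 13.1.1.10 13.1.1.20 netmask 255.255.255.0
!
! Correct order: the deny for VPN traffic must precede the permit
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
!
ip nat inside source list 100 pool R1-POOL overload
!
! Broken variant for comparison (do not use): with the permit first,
! every packet matches the permit and the deny is never reached, so
! 192.168.1.0/24 -> 192.168.2.0/24 traffic leaves with a 13.1.1.x source,
! never matches crypto ACL 101, and the tunnel is never brought up.
! access-list 100 permit ip any any
! access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
```

After changing ACL 100 on a running router, flush the existing entries with `clear ip nat translation *` (exec mode) so the new rule applies to all flows; `show ip nat statistics` lists the active dynamic mapping and the pool usage.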
R2
// Configure the ACL: traffic between the two LANs (the IPsec VPN traffic) is exempted from NAT
R2(config)#access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config)#access-list 100 permit ip any any
// Set the inside and outside interfaces
R2(config)#int fa0/1
R2(config-if)#ip nat outside
R2(config-if)#int fa 0/0
R2(config-if)#ip nat inside
R2(config)#ip nat inside source list 100 interface fastEthernet 0/1 overload
// Configure the default route
R2(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.3
PC1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/43/52 ms
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 13.1.1.1:1 192.168.1.2:1 3.3.3.3:1 3.3.3.3:1
PC2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 80/94/104 ms
R2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 23.1.1.2:0 192.168.2.2:0 3.3.3.3:0 3.3.3.3:0
Verify VPN connectivity
R1#clear ip nat translation *
PC1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/348/1192 ms
R1#show ip nat translations
// The NAT translation table is empty, which shows that the VPN traffic was not translated by NAT
R2#clear ip nat translation *
PC2#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/64/72 ms
R2#show ip nat translations
View the phase 1 IKE policy
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R2#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Every algorithm in the configured policy is deprecated: 3DES uses a 64-bit block, MD5 is a broken hash, and 768-bit DH group 1 is far below current minimums. The "Default protection suite" IOS keeps as a fallback (DES, SHA-1, RSA signatures, group 1) is weaker still. A peer can negotiate any configured policy that matches its proposal, so a production deployment should keep only AES, SHA-2 and DH group 14 or higher in the list.
Check whether phase 1 negotiated successfully
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
23.1.1.2 13.1.1.1 QM_IDLE 10020 ACTIVE
IPv6 Crypto ISAKMP SA
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
23.1.1.2 13.1.1.1 QM_IDLE 10010 ACTIVE
IPv6 Crypto ISAKMP SA
View the phase 2 IPsec transform set (security protocols)
R1#show crypto ipsec transform-set
Transform set myset: { esp-3des }
will negotiate = { Tunnel, },
R2#show crypto ipsec transform-set
Transform set myset: { esp-3des }
will negotiate = { Tunnel, },
Note that the transform set contains only esp-3des and no ESP authentication transform (such as esp-sha-hmac): packets are encrypted but not integrity-protected, which is why the SAs below report "replay detection support: N". Without an integrity check an on-path attacker can alter ciphertext or replay packets undetected, so a transform set should always include an HMAC.
View the state of the data (IPsec) SAs
R1#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: mymap, local addr 13.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 23.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
local crypto endpt.: 13.1.1.1, remote crypto endpt.: 23.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x36685AEC(912808684)
inbound esp sas:
spi: 0x3FA4EAED(1067772653)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4492090/3177)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x36685AEC(912808684)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4492090/3177)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: mymap, local addr 23.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 13.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 23.1.1.2, remote crypto endpt.: 13.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x3FA4EAED(1067772653)
inbound esp sas:
spi: 0x36685AEC(912808684)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4500995/3171)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3FA4EAED(1067772653)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4500995/3171)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
View the crypto map
R1#show crypto map
Crypto Map "mymap" 1 ipsec-isakmp
Peer =23.1.1.2
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Current peer: 23.1.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map mymap:
FastEthernet0/1
R2#show crypto map
Crypto Map "mymap" 1 ipsec-isakmp
Peer =13.1.1.1
Extended IP access list 101
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 13.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map mymap:
FastEthernet0/1
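The phase 1 and phase 2 commands that produce the output above are not included in this excerpt. The following is an added example, not the lab's own configuration: R1's side as reconstructed from the show output (policy 1 with 3DES/MD5/PSK/group 1, transform set myset with esp-3des in tunnel mode, crypto map mymap entry 1 with peer 23.1.1.2, ACL 101 and no PFS), followed by the hardened variant a practitioner would deploy instead. The pre-shared key ExamplePSK-Replace-Me is a placeholder; R2 is the mirror image with 13.1.1.1 as the peer and ACL 101 reversed. The hardened commands (hash sha256, group 14, esp-sha256-hmac, set pfs group14) require an IOS release that supports them.

```cisco
! Added example, not the original lab's commands. PSK is a placeholder.
! ---- R1 as reflected by the show output (weak by current standards) ----
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp key ExamplePSK-Replace-Me address 23.1.1.2
!
crypto ipsec transform-set myset esp-3des
 mode tunnel
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map mymap 1 ipsec-isakmp
 set peer 23.1.1.2
 set transform-set myset
 match address 101
!
interface FastEthernet0/1
 crypto map mymap
!
! ---- Hardened variant: same topology, same ACL 101 and crypto map name ----
! Remove the weak policy so a peer cannot negotiate it
no crypto isakmp policy 1
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key ExamplePSK-Replace-Me address 23.1.1.2
!
! ESP with both confidentiality and integrity; enables anti-replay
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map mymap 1 ipsec-isakmp
 set peer 23.1.1.2
 set transform-set AES-SHA
 set pfs group14
 set security-association lifetime seconds 3600
 match address 101
```

After applying the hardened variant on both routers, `show crypto isakmp policy` should list only policy 10 above the default suite, `show crypto ipsec transform-set` should show `{ esp-256-aes esp-sha256-hmac }`, and `show crypto ipsec sa` should report "replay detection support: Y". The pre-shared key is stored in clear text in the running configuration unless the router is configured for type 6 encryption (`key config-key password-encrypt` plus `password encryption aes`), and `show crypto map` shows "PFS (Y/N): Y" once `set pfs` is present.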